在web.xml中设置"HttpOnly"和"Secure" [英] Setting 'HttpOnly' and 'Secure' in web.xml
问题描述
我需要将'HttpOnly'和'Secure'属性设置为'true',以防止和 CWE-402:将私有资源传输到新领域的缺陷来自于Veracode报告中的显示.
I need to have the 'HttpOnly' and 'Secure' attributes set to 'true' to prevent the CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute and CWE-402: Transmission of Private Resources into a New Sphere flaws from showing in the Veracode report.
进行一些在线搜索之后,似乎最好的方法是简单地如下设置项目的web.xml文件中的属性:
After doing some online searching, it seems that the best thing to do is to simply set the attributes in the project's web.xml file as follows:
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
但是,我在开始标签上收到一条错误消息,提示 元素类型"session-config"的内容必须与(session-timeout)?"
However, I get an error message on the opening tag saying that "The content of element type "session-config" must match "(session-timeout)?".
我不确定这到底是什么意思.我猜想它与元素的顺序有关,但我真的不知道如何解决它.
I'm not sure what that means exactly. I'm guessing it has something to do with the order of elements but I don't really know how to fix it.
有什么想法吗?
谢谢!
推荐答案
仅在http-servlet规范3中提供对安全和仅http属性的支持.请检查web.xml中的version属性是否为"3.0".
The support for secure and http-only attribute is available only on http-servlet specification 3. Check that version attribute in your web.xml is "3.0".
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
这篇关于在web.xml中设置"HttpOnly"和"Secure"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!